After the Breach: A Cybersecurity Checklist for Small Businesses


After a breach, the next scam usually sounds more legitimate

A breach is not always the final event. For small businesses, it is often the starting point.

Once criminals have names, emails, phone numbers, invoices, vendor details, employee roles, customer records, or account history, they have enough context to sound credible. They do not need a sophisticated exploit if they already know who handles payroll, which vendor sends invoices, when payments are due, and which executive appears to approve urgent exceptions.

The FBI’s 2025 Internet Crime Report recorded more than one million complaints and $20.877 billion in reported losses. Business email compromise accounted for more than $3.0 billion in losses, tech and customer support scams accounted for more than $2.1 billion, and personal data breach losses exceeded $1.3 billion.

[Image: Checklist titled 'After the Breach' outlining actions for small businesses following a cyber incident: immediate security measures, scams to watch for, risk reduction strategies, and a 30-day watchlist.]

What current breaches reveal

The most damaging incidents are not limited to malware. Many start with ordinary business trust.

In 2025, Google Threat Intelligence Group reported a campaign targeting Salesforce environments through voice phishing. Attackers impersonated IT support, persuaded employees to authorize malicious connected applications, and used those permissions to extract Salesforce data. Google later disclosed that one of its corporate Salesforce instances, used for small and medium business contact information, was affected. The retrieved data was largely basic business contact information, but that type of information still supports phishing, impersonation, and extortion.

Allianz Life reported a July 2025 breach affecting the majority of its 1.4 million U.S. customers after a threat actor gained access to a third-party cloud system using social engineering. The exposed data included personally identifiable information tied to customers, financial professionals, and some employees. Allianz said its own internal systems were not compromised, but the breach still created exposure for the people whose information was taken.

CrowdStrike also reported that Scattered Spider activity in 2025 relied heavily on help desk voice phishing. Operators impersonated legitimate employees, answered verification questions, requested password or multi-factor authentication resets, and moved from compromised identity systems into connected cloud and SaaS platforms.

These cases matter to small businesses because the same tactics scale down. A criminal does not need access to a Fortune 500 environment to cause damage. A compromised mailbox, exposed invoice, stolen customer list, breached vendor record, or public staff page may provide enough detail to redirect a payment, take over payroll, impersonate a trusted partner, or pressure an employee into granting access.

The scams hitting small businesses now

Vendor change and fake invoice fraud

The FTC warns that scammers send phony invoices that look like routine business bills, hoping the person who pays invoices assumes the charge is legitimate. Scammers also impersonate companies or agencies, create urgency, and push payment through methods that are hard to reverse.

After a breach, this gets easier. An attacker with access to email, vendor names, invoice history, payment timing, or customer records does not need to guess. The message may reference a real vendor, a real invoice, a real project, and a real employee.

Post-breach action: Freeze any payment changes until verified through a known contact method already on file. Do not use the phone number, email address, or link inside the change request.

Payroll diversion

Payroll diversion often starts with a message that looks like it came from an employee asking to update direct deposit information. After a mailbox compromise or data exposure, the request may include enough personal or operational detail to pass a quick review.

This is especially dangerous in small businesses where one person may handle payroll, banking, benefits, and human resources. Informal trust becomes the control. Attackers exploit that trust.

Post-breach action: Lock payroll changes for at least one full pay cycle after a suspected compromise. Require verbal confirmation through a known number and documented approval from a second person.

Tech support and remote access scams

The FTC warns that tech support scams often start with a call or alarming pop-up claiming there is a computer security problem. The goal is money, remote access, or both. Scammers may gain access to sensitive data such as passwords, customer records, or credit card information.

The FBI’s 2025 report also describes call center fraud involving tech support and government impersonation. In one 2025 case, the FBI and Indian law enforcement dismantled a transnational cybercrime network that allegedly duped more than 600 U.S. citizens through tech-support and government impersonation scams, with victim reporting identifying more than $48.7 million in losses tied to the network.

Post-breach action: Tell staff that no vendor, bank, software company, law enforcement agency, or government office gets remote access because of an unexpected call, message, or pop-up.

AI-assisted impersonation

The FBI categorized 22,364 complaints in 2025 as AI-related, with reported losses of $893.3 million. The same report noted that businesses reported more than $30 million in BEC losses involving AI.

AI has not changed the fundamentals of fraud. It has made the language cleaner, the voice more believable, the targeting faster, and the volume higher.

Post-breach action: Treat polished language, familiar names, and realistic tone as irrelevant. Verification depends on a trusted channel, not whether the message sounds right.

The first 24 hours

The first day after a breach is about containment and evidence.

Secure the highest-value accounts first: email, banking, payroll, cloud administration, accounting systems, customer relationship management systems, file storage, and social media. Change passwords on exposed accounts. Turn on multi-factor authentication wherever available. Review recovery phone numbers, recovery email addresses, active sessions, connected applications, email forwarding rules, mailbox delegates, filters, and recent account changes.

Call banks and payment providers immediately if financial information, invoices, checks, ACH details, cards, payroll access, or payment systems were exposed. Ask them to monitor for suspicious transactions, block unauthorized transfers, replace exposed cards, and flag attempted account changes.

Preserve evidence before deleting anything. Save emails, texts, voicemails, invoices, headers, login alerts, screenshots, transaction records, file names, timestamps, suspicious domains, and caller details. This material supports recovery, insurance review, legal review, law enforcement referral, and internal corrective action.

Report cyber-enabled fraud to IC3.gov. Report identity theft to IdentityTheft.gov. Report scams to ReportFraud.ftc.gov. Notify legal counsel, insurers, affected vendors, and affected clients where appropriate.
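The mailbox review above (forwarding rules, delegates, recent changes) and the 30-day watchlist both call for checking inbox rules. The script below is an added example, not code from the article or from Countervail: it audits an exported rule list for external forwarding, rules that hide finance-related mail, and blank rule names. It assumes the rules were exported into dicts whose field names mirror Exchange Online's Get-InboxRule output, that the business's own domain is the one in TRUSTED_DOMAINS, and that the sample mailbox is constructed.

```python
"""Post-breach audit of exported inbox rules (added example, constructed data)."""
from __future__ import annotations
import re

TRUSTED_DOMAINS = {"example-smb.com"}  # assumption: the business's own mail domain
FINANCE_WORDS = re.compile(r"invoice|payment|wire|ach|payroll|remit", re.I)


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def audit_rule(rule: dict) -> list[str]:
    """Return the reasons one inbox rule deserves review (empty list if none)."""
    reasons = []
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = [t for t in targets if _domain(t) not in TRUSTED_DOMAINS]
    if external:
        reasons.append("forwards or redirects outside the business: " + ", ".join(external))
    subject_words = " ".join(rule.get("SubjectContainsWords", []))
    if FINANCE_WORDS.search(subject_words) and (rule.get("DeleteMessage") or rule.get("MoveToFolder")):
        reasons.append("automatically deletes or files finance-related mail")
    name = rule.get("Name", "").strip()
    if not name or name in {".", ",", "-"}:
        reasons.append("blank or single-character rule name")
    return reasons


def audit_mailbox(mailbox: dict) -> dict[str, list[str]]:
    """Check mailbox-level forwarding plus every enabled rule; map rule name -> reasons."""
    findings: dict[str, list[str]] = {}
    fwd = mailbox.get("ForwardingSmtpAddress")
    if fwd and _domain(fwd) not in TRUSTED_DOMAINS:
        findings["<mailbox forwarding>"] = [f"mailbox-level forwarding to {fwd}"]
    for rule in mailbox.get("InboxRules", []):
        if rule.get("Enabled", True):
            reasons = audit_rule(rule)
            if reasons:
                findings[rule.get("Name", "(unnamed)")] = reasons
    return findings


# Constructed sample: an accounts-payable mailbox after a suspected compromise.
SAMPLE_MAILBOX = {
    "UserPrincipalName": "ap@example-smb.com",
    "ForwardingSmtpAddress": None,
    "InboxRules": [
        {"Name": "Receipts", "Enabled": True, "MoveToFolder": "Receipts",
         "SubjectContainsWords": ["receipt"]},
        {"Name": ".", "Enabled": True, "RedirectTo": ["collector@mail-example.net"],
         "DeleteMessage": True, "SubjectContainsWords": ["invoice", "wire"]},
    ],
}

if __name__ == "__main__":
    for rule_name, why in audit_mailbox(SAMPLE_MAILBOX).items():
        print(rule_name, "->", "; ".join(why))
```

Run it against a real export on a schedule during the 30-day watch window so a rule added after the initial review is caught.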

Reduce follow-on exposure

A breach gives criminals raw material. Public exposure gives them the script.

Review business websites, staff pages, biographies, PDFs, old proposals, public filings, social media profiles, conference pages, podcast pages, and online directories. Remove unnecessary direct emails, personal phone numbers, mailing addresses, tax identification numbers, nonprofit identification numbers, detailed staff roles, executive travel references, family references, and internal process details.

Check exposed email addresses through Have I Been Pwned. Remove brokered personal information through DeleteMe or similar services. Prioritize owners, executives, finance staff, legal staff, human resources staff, information technology staff, executive assistants, and anyone with payment authority, access authority, or public visibility.

The point is not privacy for its own sake. The point is reducing the information criminals use to sound legitimate.

The 30-day watchlist

For the next 30 days, monitor for:

  • New credit inquiries
  • Password reset emails
  • Unexpected multi-factor authentication prompts
  • New forwarding rules or connected apps
  • New payroll or vendor banking changes
  • Fake bank, legal, software, accounting, or IT calls
  • Unusual client or vendor complaints
  • Fake social media profiles
  • New domains or email addresses impersonating the business
  • Messages referencing real breached information

Warn employees, vendors, clients, and family members where impersonation risk is likely. A breach involving one person or one system may become a scam against someone else.

Bottom line

After a breach, assume exposed information will be used to sound legitimate.

Secure the accounts that control recovery. Stop payment changes until verified. Preserve evidence. Reduce public exposure. Monitor for follow-on scams. Verify every unexpected request through a trusted, separate channel.

Countervail examines cyber incidents through an adversary-informed lens, identifying the exposed information, trust pathways, operational pressure points, and decision conditions criminals use to turn a breach into financial loss, account takeover, impersonation, or repeat compromise.
